Re: acl basics

From: Vladimir Osipenko <tiffolk_at_gmail.com>
Date: Wed, 6 Jul 2011 11:07:08 +0400

Yes, you are right =), it differs from route managing.

On 6 July 2011 11:00, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
> Permit just allows the packets to be policy routed while deny will skip the
> policy route and make normal routing table decisions?
>
> That's the way I thought it was anyway.
>
> Cheers,
>
> -Aaron.
>
> -----Original Message-----
> From: Vladimir Osipenko [mailto:tiffolk_at_gmail.com]
> Sent: Wednesday, 6 July 2011 2:44 PM
> To: Aaron Riemer
> Cc: Brian McGahan; Cisco certification
> Subject: Re: acl basics
>
> But when you use PERMIT in the route-map, the counters increase:
>
> R1#sh ip local policy
> Local policy routing is enabled, using route map BLOCK_EIGRP
> route-map BLOCK_EIGRP, permit, sequence 10
> Match clauses:
> ip address (access-lists): 105
> Set clauses:
> Policy routing matches: 4 packets, 254 bytes
>
>
> But DENY:
>
> R1#sh ip local policy
> Local policy routing is enabled, using route map BLOCK_EIGRP
> route-map BLOCK_EIGRP, deny, sequence 10
> Match clauses:
> ip address (access-lists): 105
> Set clauses:
> Policy routing matches: 0 packets, 0 bytes
>
> Hmmm, interesting.
>
>
> On 6 July 2011 10:35, Vladimir Osipenko <tiffolk_at_gmail.com> wrote:
>> Even when I created a local policy with a match-any route-map deny, it didn't
>> block any EIGRP traffic. No counters increased.
>> Blocking EIGRP traffic on the incoming interface of the other router
>> works, but leads to EIGRP status flapping.
>>
>> R1#sh ip local policy
>> Local policy routing is enabled, using route map BLOCK_EIGRP
>> route-map BLOCK_EIGRP, deny, sequence 10
>> Match clauses:
>> Set clauses:
>> Policy routing matches: 0 packets, 0 bytes
>>
>>
>> On 6 July 2011 10:14, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>> Didn't save the config but essentially it looked like this.
>>>
>>> access-list 101 permit eigrp any any
>>> !
>>> route-map eigrp-block
>>> match ip address 101
>>> set interface null0
>>> !
>>> ip local policy route-map eigrp-block
>>> !
>>>
>>> Let me know what you find. Maybe I can't use set interface null0 for a
>>> local policy route map?
>>>
>>> Cheers,
>>>
>>> -Aaron.
>>>
>>> -----Original Message-----
>>> From: Vladimir Osipenko [mailto:tiffolk_at_gmail.com]
>>> Sent: Wednesday, 6 July 2011 1:29 PM
>>> To: Aaron Riemer
>>> Cc: Brian McGahan; Cisco certification
>>> Subject: Re: acl basics
>>>
>>> Aaron, are you sure? Show us your config, please.
>>>
>>> I googled and found http://betep.wpl.ru/2011/04/do-you-know-what.html
>>>
>>> I will check myself later.
>>>
>>> On 6 July 2011 04:13, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>> Just tested this now. Local policy routing does not have any impact on
>>>> any locally generated EIGRP packets.
>>>>
>>>> Thanks Brian.
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> -Aaron.
>>>>
>>>> -----Original Message-----
>>>> From: Brian McGahan [mailto:bmcgahan_at_ine.com]
>>>> Sent: Tuesday, 5 July 2011 11:47 PM
>>>> To: Vladimir Osipenko
>>>> Cc: Aaron Riemer; Cisco certification
>>>> Subject: Re: acl basics
>>>>
>>>> Try it and let us know your results.
>>>>
>>>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>>>> bmcgahan_at_INE.com
>>>>
>>>> Internetwork Expert, Inc.
>>>> http://www.INE.com
>>>>
>>>> On Jul 5, 2011, at 1:47 AM, "Vladimir Osipenko" <tiffolk_at_gmail.com> wrote:
>>>>
>>>>> Won't "ip local policy" block router traffic?
>>>>>
>>>>> On 5 July 2011 09:34, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>>>> Interesting. Thanks guys, much appreciated!
>>>>>>
>>>>>> -Aaron.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>>>>> Brian McGahan
>>>>>> Sent: Tuesday, 5 July 2011 12:41 PM
>>>>>> To: Aaron Riemer
>>>>>> Cc: Cisco certification
>>>>>> Subject: Re: acl basics
>>>>>>
>>>>>> Locally generated packets are not subject to ACLs applied outbound on an
>>>>>> interface. It has to do with the order of operations of the classifier on
>>>>>> the interface. You'd see the same result if you said "deny ip any any" in
>>>>>> your list.
>>>>>>
>>>>>> Local policy routing won't work unless it's a much older IOS version, as
>>>>>> local control plane traffic is not subject to local policy routing
>>>>>> anymore.
>>>>>>
>>>>>> The workaround is simply that you have to apply the ACL in on the other
>>>>>> side.
>>>>>>
>>>>>> HTH,
>>>>>>
>>>>>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>>>>>> bmcgahan_at_INE.com
>>>>>>
>>>>>> Internetwork Expert, Inc.
>>>>>> http://www.INE.com
>>>>>>
>>>>>> On Jul 4, 2011, at 10:52 PM, "Aaron Riemer" <ariemer_at_amnet.net.au> wrote:
>>>>>>
>>>>>>> Hey guys,
>>>>>>>
>>>>>>> I am playing with EIGRP and wanted to mess with some ACLs to verify my
>>>>>>> understanding of the query and reply process.
>>>>>>>
>>>>>>> I have an ACL below on one router where I am hoping to allow eigrp
>>>>>>> multicast packets but deny any unicast.
>>>>>>>
>>>>>>> ip access-list extended block-eigrp
>>>>>>>  permit eigrp any host 224.0.0.10
>>>>>>>  deny eigrp any any
>>>>>>>
>>>>>>> interface serial0/0
>>>>>>>  ip access-group block-eigrp out
>>>>>>>
>>>>>>> This doesn't seem to block router EIGRP unicast packets at all. I have
>>>>>>> got around this by blocking at the other end in the 'in' direction but I
>>>>>>> am just curious as to why this isn't working.
>>>>>>>
>>>>>>> My thoughts are it has something to do with the fact that the traffic is
>>>>>>> originated from the router itself and as such is not subject to the rules
>>>>>>> of the ACL. No matches on the ACL seem to confirm this.
>>>>>>>
>>>>>>> Local policy routing?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> -Aaron.
>>>>>>>
>>>>>>>
>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>
>>>>>>> _______________________________________________________________________
>>>>>>> Subscription information may be found at:
>>>>>>> http://www.groupstudy.com/list/CCIELab.html

Received on Wed Jul 06 2011 - 11:07:08 ART
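The "show ip local policy" captures traded in this thread can be checked mechanically rather than by eye. What follows is an added example written for this archive page, not code posted by Vladimir, Aaron or Brian: a small Python parser for that command's output plus an audit that spells out the permit/deny point the thread settles on (a deny sequence exempts matching traffic from policy routing instead of dropping it, a permit sequence with no set clause only counts packets and leaves forwarding unchanged, and a permit sequence with a set clause that never matches is what you see when the traffic is router-originated and therefore not subject to local PBR on current IOS). The two sample captures are constructed from the output quoted in the thread; the function names parse_local_policy and audit, and the Clause dataclass, are choices made here.

```python
"""Audit Cisco IOS 'show ip local policy' output for route-map clauses whose
effect differs from a filtering intent.

Added example for this thread, not code from any of the posters.  The two
sample captures below are constructed from the output quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples: the permit and deny captures posted in the thread.
SAMPLE_PERMIT = """\
Local policy routing is enabled, using route map BLOCK_EIGRP
route-map BLOCK_EIGRP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 105
  Set clauses:
  Policy routing matches: 4 packets, 254 bytes
"""

SAMPLE_DENY = """\
Local policy routing is enabled, using route map BLOCK_EIGRP
route-map BLOCK_EIGRP, deny, sequence 10
  Match clauses:
    ip address (access-lists): 105
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
"""


@dataclass
class Clause:
    """One route-map sequence as reported by 'show ip local policy'."""
    route_map: str
    action: str                      # "permit" or "deny"
    sequence: int
    matches: List[str] = field(default_factory=list)
    sets: List[str] = field(default_factory=list)
    packets: int = 0
    byte_count: int = 0


CLAUSE_RE = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)$")
COUNTER_RE = re.compile(r"^Policy routing matches: (\d+) packets, (\d+) bytes$")


def parse_local_policy(text: str) -> List[Clause]:
    """Parse the per-sequence blocks; the 'Local policy routing ...' header is skipped."""
    clauses: List[Clause] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        hit = CLAUSE_RE.match(line)
        if hit:
            clauses.append(Clause(hit.group(1), hit.group(2), int(hit.group(3))))
            section = None
            continue
        if not clauses:
            continue                 # header text before the first sequence
        cur = clauses[-1]
        counter = COUNTER_RE.match(line)
        if line == "Match clauses:":
            section = "match"
        elif line == "Set clauses:":
            section = "set"
        elif counter:
            cur.packets, cur.byte_count = int(counter.group(1)), int(counter.group(2))
            section = None
        elif section == "match" and line:
            cur.matches.append(line)
        elif section == "set" and line:
            cur.sets.append(line)
    return clauses


def audit(clauses: List[Clause]) -> List[str]:
    """Explain, per sequence, whether matched traffic is actually altered."""
    findings: List[str] = []
    for c in clauses:
        tag = f"{c.route_map} seq {c.sequence} ({c.action})"
        if c.action == "deny":
            # deny excludes matching traffic from policy routing; it is routed
            # normally, not dropped, which is why the counter stays at zero.
            findings.append(f"{tag}: deny exempts traffic from PBR, it does not drop it")
        elif not c.sets:
            # permit with no set clause: counted as a PBR match, then forwarded
            # by the normal routing table.
            findings.append(f"{tag}: permit with no set clause; {c.packets} packets "
                            "counted but forwarding unchanged")
        elif c.packets == 0:
            # permit with a set clause but no hits: on current IOS, router-
            # originated control-plane traffic is not subject to local PBR.
            findings.append(f"{tag}: set clauses present but zero matches; "
                            "router-originated traffic is not policy routed")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_PERMIT, SAMPLE_DENY):
        for finding in audit(parse_local_policy(sample)):
            print(finding)
```

Paste real output into parse_local_policy in place of the samples; the audit is deliberately limited to what the output itself proves, so a permit clause with a set clause and a non-zero counter produces no finding.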
